Responder can Invoke Undefined Behavior in libspdm Requester

[steven-bellock]

Following a successful CAPABILITIES response a libspdm Requester stores the Responder's CTExponent into its context without validation. If the Requester sends a request message that requires a cryptography operation by the Responder, such as CHALLENGE, libspdm will calculate the timeout value using the Responder's unvalidated CTExponent.

((uint64_t)2 << context->connection_info.capability.ct_exponent)

If the value of CTExponent is greater than or equal to 64 then C language undefined behavior is invoked.
Note that libspdm provides a method to query the value of the CTExponent after VCA.

This also happens with RDTExponent. Note also that shifting the value 2 is incorrect. It should be 1.

[wmaroneAMD]

The spec does not specify a limit beyond the maximum value of a single byte. What was the reasoning for limiting it to <= 2^31?

[steven-bellock]

It seems like a reasonable maximum value. If a Responder takes 35 minutes to process a response does any Requester really want to talk to it?

[wmaroneAMD]

Entirely fair. This does seem like a diversion from the spec as a result of a gap in the spec. In addition to this upper-bound here, could we move to have this upper bound defined in the spec for future versions of SPDM?

[steven-bellock]

I filed https://github.com/DMTF/SPDM-WG/issues/2799 but it was not approved for SPDM 1.x. So that would get fixed in SPDM 2.0, whenever that happens.

[wmaroneAMD]

@steven-bellock thank you for doing that, it's minor but it makes the spec better. Would you be OK adding that link in a comment near those defines, to provide guidance in case someone else comes across this?

[steven-bellock]

Sure.